Givewp: Form Preview route URL should use SSL configuration.

Created on 24 Aug 2020  Â·  6Comments  Â·  Source: impress-org/givewp

User Story

As a user, I want to avoid mixed content warnings so that I can view the form in the Wizard.

Details

Loading the Form Preview in the Onboarding Wizard throws a mixed content warning and blocks the iframe.

Expected Behavior

The Form Preview route URL should match the http/https configuration used by the Onboarding Wizard.

Steps to Reproduce

  1. Go to the Onboarding Wizard
  2. Go to Step 4, Preview

Visuals

image

Acceptance Criteria

  • [ ] Form preview loads with http when the wizard uses http.
  • [ ] Form preview loads with https when the wizard uses https.
bug

All 6 comments

Looks like home_url() isn't considering is_ssl().

I would expect that is_ssl() would be taken into consideration:

If $scheme is ‘http’ or ‘https’, is_ssl() is overridden.

... but that doesn't seem to be the case.

image

A plugin like Really Simple SSL resolves the issue, which I think I would be using in production along side a certificate.

Because the Form iframe isn't in the admin, WordPress isn't honoring is_ssl(), rather it is defaulting to the value stored in the home option.

$url = get_option( 'home' );
// ...
if ( is_ssl() && ! is_admin() ) {
    $scheme = 'https';
} else {
    $scheme = parse_url( $url, PHP_URL_SCHEME );
}

The change that surfaced this issue is that I started using WP-CLI to automate refreshing my WordPress installation, in which I wasn't setting a protocol for ---url. Previously, I was using the browser based installer, which was pulling in the https from the URL.

@kjohnson This doesn't seem to be as serious as we first thought. Moving this out of the release and into cool-down.

Closing as this was resolved and merged in #5189.

Was this page helpful?
0 / 5 - 0 ratings